Add rbac support to fluentd-elasticsearch

2025-07-28 14:07:14 +00:00 · 2017-05-22 10:47:48 +02:00 · 2017-05-22 10:47:48 +02:00 · 4bc0da349d
commit 4bc0da349d
parent 3999de6d43
8 changed files with 91 additions and 0 deletions
--- a/cluster/addons/fluentd-elasticsearch/es-clusterrole.yaml
+++ b/cluster/addons/fluentd-elasticsearch/es-clusterrole.yaml
@ -0,0 +1,17 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: elasticsearch-logging
+  labels:
+    k8s-app: elasticsearch-logging
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "services"
+  - "namespaces"
+  - "endpoints"
+  verbs:
+  - "get"
--- a/cluster/addons/fluentd-elasticsearch/es-clusterrolebinding.yaml
+++ b/cluster/addons/fluentd-elasticsearch/es-clusterrolebinding.yaml
@ -0,0 +1,18 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  namespace: kube-system
+  name: elasticsearch-logging
+  labels:
+    k8s-app: elasticsearch-logging
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+- kind: ServiceAccount
+  name: elasticsearch-logging
+  namespace: kube-system
+  apiGroup: ""
+roleRef:
+  kind: ClusterRole
+  name: elasticsearch-logging
+  apiGroup: ""
--- a/cluster/addons/fluentd-elasticsearch/es-controller.yaml
+++ b/cluster/addons/fluentd-elasticsearch/es-controller.yaml
@ -20,6 +20,7 @@ spec:
        version: v1
        kubernetes.io/cluster-service: "true"
    spec:
+      serviceAccountName: elasticsearch-logging
      containers:
      - image: gcr.io/google_containers/elasticsearch:v2.4.1-2
        name: elasticsearch-logging
--- a/cluster/addons/fluentd-elasticsearch/es-serviceaccount.yaml
+++ b/cluster/addons/fluentd-elasticsearch/es-serviceaccount.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: elasticsearch-logging
+  namespace: kube-system
+  labels:
+    k8s-app: elasticsearch-logging
+    version: v1
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrole.yaml
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrole.yaml
@ -0,0 +1,18 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: fluentd-es
+  labels:
+    k8s-app: fluentd-es
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "namespaces"
+  - "pods"
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrolebinding.yaml
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrolebinding.yaml
@ -0,0 +1,17 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: fluentd-es
+  labels:
+    k8s-app: fluentd-es
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+- kind: ServiceAccount
+  name: fluentd-es
+  namespace: kube-system
+  apiGroup: ""
+roleRef:
+  kind: ClusterRole
+  name: fluentd-es
+  apiGroup: ""
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
@ -21,6 +21,7 @@ spec:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
+      serviceAccountName: fluentd-es
      containers:
      - name: fluentd-es
        image: gcr.io/google_containers/fluentd-elasticsearch:1.22
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-serviceaccount.yaml
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-serviceaccount.yaml
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fluentd-es
+  namespace: kube-system
+  labels:
+    k8s-app: fluentd-es
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile